Nmap Development mailing list archives

Re: [nmap-svn] r29382 - nmap-exp/kroosec/rpc-grind/nselib


From: Daniel Miller <bonsaiviking () gmail com>
Date: Thu, 26 Jul 2012 16:47:46 -0500

On 07/26/2012 03:41 PM, Henri Doreau wrote:
Hello,

I think that the following patch should be ported to trunk. Nmap
currently doesn't even connect to RPC services if not run in
privileged mode. I agree that attempting to bind to a <1024 port is a
good thing to try but if not possible that shouldn't stop the
execution flow.

Regards.

2012/7/26  <commit-mailer () insecure org>:
Author: henri
Date: Thu Jul 26 13:38:43 2012
New Revision: 29382

Log:
Attempt to connect even if nmap runs in non privileged mode.


Modified:
    nmap-exp/kroosec/rpc-grind/nselib/rpc.lua

Modified: nmap-exp/kroosec/rpc-grind/nselib/rpc.lua
==============================================================================
--- nmap-exp/kroosec/rpc-grind/nselib/rpc.lua   (original)
+++ nmap-exp/kroosec/rpc-grind/nselib/rpc.lua   Thu Jul 26 13:38:43 2012
@@ -171,12 +171,10 @@
            -- Try to bind to a reserved port
            for resvport = 600, 1024, 1 do
              status, err = socket:bind(nil, 1000)
-            if status then
-              status, err = socket:connect(host, port)
-              if status then break end
-            end
+            if status then break end
            end
          end
+        status, err = socket:connect(host, port)
        else
          socket = nmap.new_socket("udp")
          if nmap.is_privileged() then
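Review bot: the loop `for resvport = 600, 1024, 1 do` never uses `resvport`; the bind inside it is `socket:bind(nil, 1000)`, so every iteration binds the same port and the loop cannot try a different reserved port when 1000 is taken. It should be `socket:bind(nil, resvport)`, and the range should stop at 1023, since 1024 is not a reserved port. Moving the connect out to `status, err = socket:connect(host, port)` after the `if` block also drops the fallback: the loop now breaks on the first bind that reports success, and if the following connect then fails because that local port is in use, the error is returned as-is rather than retrying with another reserved port or clearing the bind (`socket:bind(nil, nil)`) and connecting from an ephemeral port.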
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Henri,

I introduced this code, since many NFS servers won't respond if the client is not bound to a reserved port. I confess the order of socket calls and return values was confusing to me, but based on what I remember from my testing, I don't think this will work.

The specific bug condition is when the socket tries to bind to a port that is in use. The NSE socket:bind call will not fail like a C bind(2) call would. Instead, the failure comes when trying to do socket:connect(). That's why the code loops over ports from 600 to 1000 until it finds one that works.

A better way would be to check if any of those reserved ports succeeded, and if not, socket:bind(nil,nil) to clear the error condition and just connect with any port.

Dan
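The approach Dan sketches above, written out as an added example rather than code from nmap's rpc.lua or from either poster. It assumes only the documented NSE calls used in the thread (nmap.new_socket, socket:bind(localaddr, localport), socket:connect, nmap.is_privileged) and takes Dan's statement that socket:bind(nil, nil) clears the stored local address as given; the function name and the port-range constants are hypothetical.

```lua
-- Added example (not nmap's rpc.lua): connect to an RPC service from a
-- reserved source port when running privileged, and fall back to an
-- ephemeral port if no reserved port can be used.
local nmap = require "nmap"

-- Reserved ports are strictly below 1024 (hypothetical range constants).
local RESV_FIRST, RESV_LAST = 600, 1023

-- Returns socket, true on success; nil, false, err on failure.
local function connect_reserved(host, port, proto)
  proto = proto or "tcp"
  local socket = nmap.new_socket(proto)
  local status, err

  if nmap.is_privileged() then
    -- Per Dan's reply, socket:bind does not fail on an in-use port the way
    -- bind(2) does; the error only surfaces from socket:connect. So each
    -- candidate port has to be taken all the way through connect before the
    -- next one is tried, and the loop variable must actually be used.
    for resvport = RESV_FIRST, RESV_LAST do
      status, err = socket:bind(nil, resvport)
      if status then
        status, err = socket:connect(host, port)
        if status then
          return socket, true
        end
      end
    end
    -- No reserved port worked. Assumption (from Dan's suggestion): binding
    -- nil/nil clears the pending local address so connect may use any port.
    socket:bind(nil, nil)
  end

  -- Unprivileged, or every reserved port failed: connect from any port
  -- instead of giving up, which is what Henri's patch set out to fix.
  status, err = socket:connect(host, port)
  if not status then
    socket:close()
    return nil, false, err
  end
  return socket, true
end

return { connect_reserved = connect_reserved }
```

One caveat a practitioner will hit: when the target is unreachable rather than the local port being in use, every iteration of the reserved-port loop waits for its own connect failure, so the loop can be slow. Breaking early on an error that is not an address-in-use condition would avoid that, but the thread does not show how NSE reports that distinction, so the example does not encode it.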